Has anybody run into a process which doesn't appear in Task Manager?

Posted by Nipi on December 5, 2006, 3:15 pm
I got infected with a malicious executable, "GXHO.exe".
My antivirus didn't say anything about it, then this happened:
First my anti-spyware warned me that it's being put into the startup,
so I rejected it, and opened Task Manager to close it and didn't find it,
so I assumed it's not running. I went to its folder to delete it, but
it wouldn't delete because it's in use. A while passed and my firewall
asked me whether I allow SMTP access to GXHO.exe; of course I said no,
and checked Task Manager again, found nothing!
I was wondering how I could close it, then I chose to restart the
computer hoping it wouldn't start, but it did.
My only way to get rid of it was to activate the proactive defence of
Kaspersky, which warned me when this process was trying to launch, and I
clicked terminate, and then could delete it.
So did anybody see anything like that before?


Posted by Sebastian Gottschalk on December 5, 2006, 3:24 pm
Nipi wrote:

> I got infected with a malicious executable, "GXHO.exe".
> My antivirus didn't say anything about it, then this happened:
> First my anti-spyware warned me that it's being put into the startup,
> so I rejected it, and opened Task Manager to close it and didn't find it,
> so I assumed it's not running. I went to its folder to delete it, but
> it wouldn't delete because it's in use. A while passed and my firewall
> asked me whether I allow SMTP access to GXHO.exe; of course I said no,
> and checked Task Manager again, found nothing!
> I was wondering how I could close it, then I chose to restart the
> computer hoping it wouldn't start, but it did.
> My only way to get rid of it was to activate the proactive defence of
> Kaspersky, which warned me when this process was trying to launch, and I
> clicked terminate, and then could delete it.
> So did anybody see anything like that before?

Yes, user stupidity like running with administrator rights and not
understanding how to properly clean a compromised system is seen quite
often.

Posted by Nipi on December 5, 2006, 5:37 pm

Sebastian Gottschalk wrote:
> Nipi wrote:
>
> > I got infected with a malicious executable, "GXHO.exe".
> > My antivirus didn't say anything about it, then this happened:
> > First my anti-spyware warned me that it's being put into the startup,
> > so I rejected it, and opened Task Manager to close it and didn't find it,
> > so I assumed it's not running. I went to its folder to delete it, but
> > it wouldn't delete because it's in use. A while passed and my firewall
> > asked me whether I allow SMTP access to GXHO.exe; of course I said no,
> > and checked Task Manager again, found nothing!
> > I was wondering how I could close it, then I chose to restart the
> > computer hoping it wouldn't start, but it did.
> > My only way to get rid of it was to activate the proactive defence of
> > Kaspersky, which warned me when this process was trying to launch, and I
> > clicked terminate, and then could delete it.
> > So did anybody see anything like that before?
>
> Yes, user stupidity like running with administrator rights and not
> understanding how to properly clean a compromised system is seen quite
> often.

OK, running with administrator rights is stupid, but you know XP doesn't
offer much choice, you can't do anything as a Limited user, and anyway
this program was hidden in an installer, which means in all cases I
needed administrator rights to run an installer.
As to how to properly clean a compromised system, well, instead of just
telling me that I'm wrong why don't you say why, and what's right?


Posted by Sebastian Gottschalk on December 5, 2006, 7:06 pm
Nipi wrote:

>> Yes, user stupidity like running with administrator rights and not
>> understanding how to properly clean a compromised system is seen quite
>> often.
>
> OK, running with administrator rights is stupid, but you know XP doesn't
> offer much choice, you can't do anything as a Limited user,

I wonder why this hasn't ever been a problem to me. I can do anything
needed for normal work as Restricted User.

Actually this is quite convenient since it also protects against me myself
doing something dumb (hooops, ran 'rd /s /q' on the wrong directory) or
some piece of software going mad.

> and anyway this program was hidden in an installer, which means in all cases I
> needed administrator rights to run an installer.

OK, then you had a problem with evaluating the trustworthiness of the
software or its source.

> As to how to properly clean a compromised system, well, instead of just
> telling me that I'm wrong why don't you say why, and what's right?

You should already know: flatten and rebuild. Or restore from a known-safe
backup. Or compare against a trustworthy install base (e.g. checksums of
all files after installation). Most likely the first one will apply.

Is it really too hard to understand that a compromised system isn't
trustworthy any more and therefore has to be brought back into a
well-defined state?
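The third option above, a checksum baseline of the install base, is easy to script. The following PowerShell is an added example and not part of the thread or anyone's posted tooling: run it once with -Create right after a clean installation to record SHA-256 hashes of a tree, then run it again later to list files that were added, modified or removed. The default root (C:\Windows\System32) and the baseline location on a second drive are assumptions; keep the baseline somewhere the suspect system cannot rewrite it.

```powershell
# Added example (not from the thread). Build a SHA-256 baseline of a file
# tree right after installation, then compare the live tree against it.
# Assumptions: the root path, and that D:\baseline\ is writable only from a
# trusted environment (read-only media or a separate machine).

param(
    [string]$Root     = 'C:\Windows\System32',
    [string]$Baseline = 'D:\baseline\system32.sha256.csv',
    [switch]$Create
)

function Get-TreeHashes {
    param([string]$Path)
    # Hash every regular file under $Path; files we cannot open are skipped
    # but are reported so the gap in coverage is visible.
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            try {
                $h = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction Stop
                [pscustomobject]@{ Path = $_.FullName; Hash = $h.Hash }
            } catch {
                Write-Warning "Could not hash $($_.FullName)"
            }
        }
}

if ($Create) {
    Get-TreeHashes -Path $Root | Export-Csv -Path $Baseline -NoTypeInformation
    Write-Host "Baseline written to $Baseline"
    return
}

# Load the stored baseline and hash the current tree into two lookup tables
$old = @{}
Import-Csv -Path $Baseline | ForEach-Object { $old[$_.Path] = $_.Hash }
$new = @{}
Get-TreeHashes -Path $Root | ForEach-Object { $new[$_.Path] = $_.Hash }

# Report the three kinds of drift; unchanged files are not printed
foreach ($p in $new.Keys) {
    if (-not $old.ContainsKey($p)) { "ADDED    $p" }
    elseif ($old[$p] -ne $new[$p])  { "MODIFIED $p" }
}
foreach ($p in $old.Keys) {
    if (-not $new.ContainsKey($p)) { "REMOVED  $p" }
}
```

Save it as, say, Compare-Baseline.ps1 (a hypothetical name), then `.\Compare-Baseline.ps1 -Create` after installation and `.\Compare-Baseline.ps1` when the box is suspect. The caveat follows directly from the point made in the post: the comparison is only as honest as the kernel it runs on, so if a driver-level component is suspected, run it with the suspect disk mounted from clean boot media rather than from the running installation. Expected drift from Windows Update and legitimate installs will show up as MODIFIED and ADDED too, so refresh the baseline after each trusted change.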

Posted by MC on December 7, 2006, 6:01 pm
Sebastian Gottschalk wrote:
> You should already know: flatten and rebuild. Or restore from a known-safe
> backup. Or compare against a trustworthy install base (e.g. checksums of
> all files after installation). Most likely the first one will apply.
>
> Is it really too hard to understand that a compromised system isn't
> trustworthy any more and therefore has to be brought back into a
> well-defined state?

Actually, by the looks of it this user has been targeted by something
that runs at a service/driver level (and won't show up in Task Manager)
-or- is actively hiding itself from Task Manager. A rebuild isn't needed, at
all, and will just cause a lot of lost time. He's already found the
location of the file, and it being "in use" is easily avoided by
restarting in safe mode, and then killing the .exe file (make sure you
get every occurrence of the file). Going into the registry in safe mode
and doing a search on the file name will most likely turn up some hits
where it's started from, too. You might want to kill those entries as well.
It doesn't look like his system was at all compromised, it just has a
program that is being stealthy, running in startup.

I'm curious to know: which installer was this file hidden in?
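The registry search and the service/driver possibility described in the post above can be scripted rather than done by hand in regedit. This PowerShell is an added example, not MC's or anyone else's posted code: given a file name (the thread's GXHO.exe is the default), it lists the common autostart registry values that mention it, the services and kernel drivers whose image path mentions it, and whether a process of that name is visible to two different process enumerations. The set of autostart keys checked is a deliberately small, well-known subset, not a complete list.

```powershell
# Added example (not from the thread). Hunt for where a named executable is
# started from and whether it is visible as a running process.
# Assumption: the file name is exact; the key list below is a common subset
# of autostart locations, not all of them.

param([string]$Name = 'GXHO.exe')

$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',  # Shell, Userinit
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'    # Load, AppInit_DLLs
)

function Find-AutostartReferences {
    param([string]$FileName)
    $pattern = [regex]::Escape($FileName)
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
            if ("$($p.Value)" -match $pattern) {
                [pscustomobject]@{ Where = "$key\$($p.Name)"; Value = $p.Value }
            }
        }
    }
}

function Find-ServiceReferences {
    param([string]$FileName)
    $pattern = [regex]::Escape($FileName)
    # Win32_Service covers user-mode services, Win32_SystemDriver kernel drivers;
    # both expose the configured image path in PathName.
    foreach ($class in 'Win32_Service', 'Win32_SystemDriver') {
        Get-CimInstance -ClassName $class |
            Where-Object { $_.PathName -and $_.PathName -match $pattern } |
            ForEach-Object {
                [pscustomobject]@{ Where = "$class $($_.Name)"; Value = $_.PathName; State = $_.State }
            }
    }
}

function Test-ProcessVisible {
    param([string]$FileName)
    $base = [IO.Path]::GetFileNameWithoutExtension($FileName)
    # Two independent views of the process list; a user-mode hook aimed only at
    # taskmgr.exe will not affect either, a kernel-level one affects both.
    $viaApi = @(Get-Process -Name $base -ErrorAction SilentlyContinue).Count
    $viaWmi = @(Get-CimInstance -ClassName Win32_Process -Filter "Name = '$FileName'").Count
    [pscustomobject]@{ GetProcess = $viaApi; Win32_Process = $viaWmi }
}

"== Autostart entries naming $Name =="
Find-AutostartReferences -FileName $Name | Format-Table -AutoSize
"== Services/drivers naming $Name =="
Find-ServiceReferences -FileName $Name | Format-Table -AutoSize
"== Process visibility =="
Test-ProcessVisible -FileName $Name | Format-Table -AutoSize
```

Run it from an elevated prompt so HKLM and the driver list are readable. If the file is locked and the firewall sees it talking SMTP while both process counts come back 0, the program is hiding at a level below the normal process list, which is the situation the post describes; at that point the honest reading is the one given earlier in the thread, that nothing the running system reports can be fully trusted, and the safe-mode cleanup MC outlines is a bet that the hiding is user-mode only. Whatever this script finds, delete the file and its autostart values from safe mode as MC suggests, then re-run it after a normal boot to confirm nothing re-created them.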
